I would think that such a number depends upon a lot of things...visibility being one.

Some organizations do, in fact, have a "seasoned" infosec team. As an incident responder, I most often dealt with organizations that, while storing/processing a great deal of "sensitive data" (select your definition of choice), had no infosec team, or they had a team that was so hamstrung by internal politics that it was simply ineffective.

Wow. So in your experience, if you actually have the ability to detect compromised computers, you can often expect to find around that many per day?

That seems like an awful lot. Although, I guess I can see how it can happen with malware spreading, or with how easy an attacker can often get domain admin.

...s that even with a seasoned infosec team, you should expect to find 20-50 compromised computers a day with a network of 1,000 computers?

I'm not sure I would use the word 'compromised', though I would not hesitate about 'being involved in an incident'. (Though I personally don't think 'alarm' = 'incident'.) But that depends a lot on the organization and what it considers an incident. 'Being reported as compromised', OK -- that's what any AV solution does. (Added: and if some conscientious backup manager tests the backup system by restoring the oldest backup tapes in store to a server which happens to have the latest heuristic virus-detection, and policy requires each AV alarm to be counted as an incident, the average number of 'incidents' per day will increase sharply just by that action alone.)

Incident, in the case I am thinking of here, involved 'compromises' as well as anti-virus alarms, including adware and jokes, as well as finding suspect network traffic (skype, p2p, etc. -- usually from consultants trying to use their computers in a way that was not allowed), and trying to connect to websites blacklisted by Bluecoat, and so on.

This is based on filling in as an incident dispatcher (i.e. sending alarms on to the correct incident responder/investigator) for a couple of months in an organization that was/is approximately that large.

Of those, the number of real compromises, after due investigation, was considerably smaller.

@athulin, "compromised" was the blog author's term. He suggested that while there would be a ton of results from searching for IOCs, most would not be false positives. Even a great, highly trained, and mature infosec team should expect 20-50 compromised computers per day, 7 days a week.

If that's anywhere near what others are experiencing, that's pretty surprising to me.

Wow. So in your experience, if you actually have the ability to detect compromised computers, you can often expect to find around that many per day?

In my experience, it varies. It doesn't take malware spreading to cause massive compromises and infections. If you don't have visibility into what's happening on the network and endpoints, anything can happen without you seeing. Then, when something does happen that becomes visible to you, often, it's one of many.

I've seen boxes that were "thought" to have been infected as part of an incident, but weren't...the infection or compromise on that box had nothing to do with the incident we were investigating. I've seen systems thought to have been hacked by one party, only to find out that three or four parties are all accessing the system.

So...it varies. It depends. I would think that the data set discussed in the article showed just that...but that's one data set, at one point in time.